Arthur Coviello | Positive signs in cybersecurity

 


When it comes to matters of national cybersecurity, RSA President Arthur Coviello has been one of the most vocal technology executives and, at times, one of the most critical. But Coviello, a frequent critic of the administration's approach to cybersecurity, is seeing signs of real leadership.

When it comes to matters of national cybersecurity, RSA President Arthur Coviello has been one of the most vocal technology executives and, at times, one of the most critical. In the past few years, Coviello has called for the elevation of a cybersecurity czar with proper budget authority at the Homeland Security Department. He has also called for government to take a more active role in network security. GCN talked with Coviello to find out what he thinks about recent changes in federal law and management objectives. We also wanted to find out more about EMC's purchase of RSA, which completed last year.

"There is a growing recognition that the perimeter defense that we've all grown to love (antivirus, firewall, virtual private networks) is not sufficient." - Arthur Coviello

Sylvia Stagg-Giuliano

GCN: The Federal Information Security Management Act calls for two-factor authentication. What would you recommend agencies use for the second form of authentication, in addition to passwords?

Coviello: At the high end, we can provide a smart card with a digital certificate that can do a digital signature. At the highest-volume end, we have a methodology based on pattern recognition that allows a company to provide a risk score [of how likely people are who they] say they are, based on a pattern of activity that has been established.

For instance, if you do online banking, historically you would provide your user name and password at the bank's site. What we have done with a number of banks responding to the [Federal Deposit Insurance Corp.] recommendations for strong authentication, is to provide a technology that looks for consistency in [user behaviors]: things like screen resolution, the IP address you access the site from, the time of day, the type of transactions you engage in.

Based on a consistent pattern of access, we can determine that it is you. If you don't come in from the same IP address or you try to wire-transfer money to Lafia, [Nigeria], we have a pretty good idea that it is not you. We develop a risk score depending on how many of those characteristics you are consistent with.

GCN: What happens if I try to access my account by atypical means?

Coviello: If you did some type of anomalous transaction, like wire-transfer money to a sick relative in San Francisco, we would ask for more identification.

We might require you to phone the bank. We might require you to answer a series of life questions. We recently introduced a voice-based biometric where you could call a bank and identify yourself. So we don't stop the transaction from occurring, but we adapt to the fact and circumstances and risks involved.

This pattern-recognition technology that we've rolled out in the consumer marketplace in the past year can also be applied to government/citizen type of interactions and even internal government agency work as well. We will introduce that technology over time.

GCN: Can you explain a bit more about the government banking regulations concerning online access control?

Coviello: In the fall of 2005, the consortium of federal regulators ([consisting of] the FDIC, the Federal Reserve, the Office of Thrift Supervision and others) came together to make a recommendation to all of the financial-services institutions that, by the end of 2006, they should adopt something stronger than a private password to authenticate transactions.

We think that that is government leadership at its best. It responds to a real need to address the threats of malware and spyware that capture the keystrokes and passwords. It does it without regulation. It was just a recommendation of the best practice, and yet the financial institutions responded and started to implement solutions in a big, big way.

We see this [leadership] with the Office of Management and Budget as well. [With FISMA], all the OMB came out with was recommendations around best practices. They did not mandate technology solutions, they did not recommend technology solutions.

Other than the [Homeland Security Presidential Directive 12], which is a specification developed internally that vendors have to develop to, they've not been technology-specific. OMB is just recommending best practices that are out there and have been followed by industry in the past.

I've been a fairly vocal critic on how the administration did not follow through with the National Strategy to Secure Cyberspace that was laid out in 2003. But in the last year, we've seen significant change in government leadership.

The FDIC is one example. Another came from the state of California with their Senate Bill 1386, [which required companies to notify customers about security breaches that exposed personal information]. It's had a dramatic effect on breach notifications. All of these [announced data breaches] might not have hit the press without the benefit of this breach notification.

As bad as those breaches were, and as much as they eroded consumer confidence, they have caused a sea change in companies. Now companies risk loss of reputation and, thanks to the Federal Trade Commission, even significant fines.

The third element we're very pleased to see is [DHS] Secretary Michael Chertoff appointing an assistant secretary for securing cyberspace and telecommunications, [Greg Garcia]. We had an opportunity to meet with him, and he assembled a very strong team, and we expect him now to go about executing the president's strategy. So we've seen a significant change.

GCN: Why did EMC purchase RSA?

Coviello: EMC developed a franchise out of a specific focus on storage and [is now moving to] a broader franchise on IT infrastructure generally, and that encompasses four elements: Storing the information, managing the information, optimizing and protecting information.

Under the realm of protecting information, they came to us for information security.

In information security, there is a growing recognition that the perimeter defense that we've all grown to love, which is composed of antivirus, firewall, virtual private networks and the like, is not sufficient. The nature of threats has evolved. If you ask most customers if their perimeter is secure, they will say yes. If you ask if their information is secure, they would not be so sure.

Information is dynamic. It moves from storage to the database to the application, to the user and back again. It doesn't stay static, so to really protect information you have to take an information-centric approach. One does that by identifying and protecting the people who get access to the information. Another element is defining what level of access to information people should get. Another element is protecting the data as it moves and when it is at rest. At rest, we encrypt. As it moves, we can also encrypt, but there are other elements of making sure it only moves directionally where it ought to.
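The risk-based authentication described in the interview (a score built from how many access characteristics match the established pattern, with extra identification requested instead of a block) can be sketched as follows. This is an added example, not code from the interview or from RSA's product; the profile layout, equal weighting of the four signals, thresholds, action names and sample data are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:              # established pattern for one user (assumed layout)
    ips: frozenset
    resolutions: frozenset
    hours: range            # usual hours of access, 0-23
    txn_types: frozenset

@dataclass(frozen=True)
class Attempt:
    ip: str
    resolution: str
    hour: int
    txn_type: str

def consistent_signals(profile, attempt):
    """Names of the signals that match the user's established pattern."""
    checks = {
        "ip": attempt.ip in profile.ips,
        "resolution": attempt.resolution in profile.resolutions,
        "hour": attempt.hour in profile.hours,
        "txn_type": attempt.txn_type in profile.txn_types,
    }
    return [name for name, ok in checks.items() if ok]

def risk_score(profile, attempt):
    """Share of signals that deviate: 0.0 is fully consistent, 1.0 is none."""
    return 1 - len(consistent_signals(profile, attempt)) / 4

def decide(profile, attempt, questions_at=0.25, out_of_band_at=0.75):
    """Adapt to the risk instead of blocking: higher score, stronger step-up."""
    score = risk_score(profile, attempt)
    if score >= out_of_band_at:
        return "step_up_out_of_band"    # e.g. phone call or voice biometric
    if score >= questions_at:
        return "step_up_questions"      # e.g. life questions
    return "allow"

# Constructed sample data (documentation-range IP addresses).
PROFILE = Profile(frozenset({"192.0.2.10"}), frozenset({"1280x1024"}),
                  range(7, 23), frozenset({"balance", "bill_pay"}))
USUAL = Attempt("192.0.2.10", "1280x1024", 20, "bill_pay")
WIRE_FROM_HOME = Attempt("192.0.2.10", "1280x1024", 20, "wire_transfer")
UNFAMILIAR = Attempt("203.0.113.5", "800x600", 3, "wire_transfer")

if __name__ == "__main__":
    for attempt in (USUAL, WIRE_FROM_HOME, UNFAMILIAR):
        print(attempt, risk_score(PROFILE, attempt), decide(PROFILE, attempt))
```

A production system would weight signals unequally and learn the profile from history; the equal weighting here only mirrors the "how many of those characteristics you are consistent with" wording.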




